> From: John Franks <john@math.nwu.edu>
> Another question: Unless I am mistaken, at one point in the long
> sequence of digest drafts, the Authentication-Info header could be
> supplied by either the server or the client. It would be useful
> for the client to be able to supply the digest of POSTed data
> or a file which is PUT. Being able to assure the integrity of
> client supplied data would be very useful. Did this fall through
> the cracks, or am I just missing this functionality somewhere in
> the draft?
It is in the Authorization header now. In section 3.2.2, it says:
] request-digest = <"> < KD ( H(A1), unq(nonce-value)
] ":" nc-value
] ":" unq(cnonce-value)
] ":" unq(qop-value)
] ":" H(A2)
] ) <">
...
] If the "qop" directive's value is "auth" or is unspecified, then A2 is:
]
] A2 = Method ":" digest-uri-value
]
] If the "qop" value is "auth-int", then A2 is:
]
] A2 = Method ":" digest-uri-value ":" H(entity-body)
So A2 in the response digest (poor name, that, because it is the
response to the challenge, but it appears in a request) contains the
hash of the body. That way we don't need another header. I don't
believe that we specified that this may appear in a trailer,
though.